Hadoop Common / HADOOP-11291

Log the cause of SASL connection failures


Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.5.0
    • 2.7.0
    • security
    • Reviewed

    Description

      UGI#doAs will no longer log a PriviledgedActionException unless LOG.isDebugEnabled() == true. HADOOP-10015 made this change because it was decided that users calling UGI#doAs should be responsible for logging the error when catching an exception. Also, the log was confusing in certain situations (see more details in HADOOP-10015).

      However, as Daryn noted, this log message was very helpful in cases of debugging security issues.

      As an example, we used to see this in the DN logs before HADOOP-10015:

      2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
      2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      

      After the fix went in, the DN was upgraded, and only logs:

      2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
      2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
      

      It'd be good to add more logging information about the cause of a SASL connection failure.

      Thanks to Harsh J for reporting this.
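The difference between the two log excerpts above can be checked mechanically. The following is an added example, not part of the issue or of Hadoop: it pairs each `ipc.Client` connection failure with a SASL cause logged by `UserGroupInformation` for the same principal within a short time window, and reports failures that carry no cause. The function name `triage` and the 2-second window are assumptions; the sample lines are the ones quoted in the description.

```python
import re
from datetime import datetime

# Log lines copied from the issue description (before and after HADOOP-10015).
SAMPLE = """\
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - NO PREAUTH)]
2014-10-20 11:28:02,112 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 11:28:02,112 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:hdfs/hostA.com@REALM.COM (auth:KERBEROS) cause:java.io.IOException: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,712 WARN org.apache.hadoop.ipc.Client: Couldn't setup connection for hdfs/hostA.com@REALM.COM to hostB.com/101.01.010:8022
2014-10-20 14:11:40,713 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Problem connecting to server: hostB.com/101.01.010:8022
"""

LINE = re.compile(r"^(\S+ \S+) (\w+) ([\w.$]+): (.*)$")
UGI = re.compile(r"PriviledgedActionException as:(\S+) \(auth:(\w+)\) cause:(.*)$")
CONN = re.compile(r"Couldn't setup connection for (\S+) to (\S+)$")
ROOT = re.compile(r"\[Caused by (.*)\]$")  # innermost cause appended by SaslException

def parse(text):
    """Split log text into (datetime, logger, message) tuples, skipping unparsable lines."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        rows.append((ts, m.group(3), m.group(4)))
    return rows

def triage(text, window_s=2.0):
    """One record per ipc.Client connection failure; sasl_cause is None if none was logged."""
    rows, out = parse(text), []
    for ts, logger, msg in rows:
        conn = CONN.match(msg)
        if not (logger.endswith("ipc.Client") and conn):
            continue
        principal, server = conn.groups()
        cause = None
        for ts2, logger2, msg2 in rows:
            ugi = UGI.search(msg2)
            if (ugi and logger2.endswith("UserGroupInformation")
                    and ugi.group(1) == principal and "SaslException" in ugi.group(3)
                    and abs((ts2 - ts).total_seconds()) <= window_s):
                root = ROOT.search(ugi.group(3))
                cause = root.group(1) if root else ugi.group(3)
        out.append({"time": ts, "principal": principal, "server": server, "sasl_cause": cause})
    return out

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["time"], rec["server"], rec["sasl_cause"] or "NO CAUSE LOGGED")
```

On the sample, the 11:28 failure resolves to the Kerberos `NO PREAUTH` error, while the 14:11 failure has nothing to attribute it to.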

          People

            schu Stephen Chu